Thursday, December 20, 2012

Every year the UK Cyber Security community get together at Royal Holloway for a day of talks just before Christmas; all funded by Hewlett-Packard. And today is no exception. Indeed this is the 23rd such event. The main purpose of the event is for everyone to meet and discuss issues, opportunities and share experiences of the proceeding year. Most of the participants are the thought leaders from the UK Cyber Security industry, as well as a few academic hangers-on like myself.

A regular part of the proceedings is a pen-and-paper cryptographic challenge set for the audience by someone in HP Labs. This is called the Zaba Memorial Challenge, in honour of Stefek Zaba an ex-HP Lab'y who used to set the challenge in the past. Stefek is a much missed member of our community in the UK; and the regular challenge allows us to remember him in a small way.

The talks were given by John Madelin (Area VP for EMEA at Verizon), James Lynne (Director of Technology Strategy at Sophos and David McGrew (Fellow at Cisco). Most of the talks are more focused on business issues rather than technology and scientific issues. Most of the interest I find in the day is this exposure to other views.

John, who talked about the "Business of Security", had some interesting anecdotes about how the younger generation are adopting different, new technologies, compared to our generation. For example, email is often not used at all by people under the age of 20. This is the third talk I have attended at which this quite startling observation (for me) has been made. This has widespread impact on the increasing use of "Bring-Your-Own" device to work; which is only going to accelerate as the generations change. An interesting graph was the growth in cloud based service takeup in the
BRICs countries compared to the tradional high tech economies. John
discussed the security priorities of companies in North America; a
regular survey showed that Cloud Security was the top concern,
displacing Intrusion Detection from the previous years top spot. Indeed
IDS had dropped off the top ten list; which was dominated by concerns
about mobile phones (security and malware), tablet security and so on. Another interesting point made was the difference in technology adoption by the BRICs countries, i.e. Brazil, Russia, India and China. This is because such countries do not have such a sunk investment in legacy systems, and so they can adopt new technology quicker. He discussed how companies spend money protecting against non-existant threats; but which they feel more comfortable on spending money on. They then miss out on protecting against the real threats which provide the greatest risks.

James, talked about "Hacking cyber crime and deja vu" a really cool talk describing a number of attacks which are out there in the wild. A nice histogram (albeit a 3D one) presented the growth in unique pieces of malicious code found per year. Most of this code is distributed by SQL injection into web pages; which is surprising as this weakness has been known about for many many years. A nice description was given of a malware "service" based in the cloud which monitors users computers; and when the malware is detected it phones back to base to enable a new version of the malware to be distribtued. This is an example of the increase in the sophistication of the software used in malware. Annother example was some extortion/ransom based malware which encrypts your files and then asks for you to pay up to get access to the password; and, as an added bonus, if the victum does not pay up the criminal places increminating files on the victims computer and then informs the police of their existance. The talk went on to discuss various other criminal activities which were very close to the old Digicrime joke website; but were scarily real. Most of the rest of the talk discussed an investigation into a specific cyber criminal and how various security weaknesses in photo uploading sites, social media sites etc were used to track them down.

David, who gave a talk at the workshop organized by Kenny Paterson and myself earlier in the year, gave a talk today on "The Vernam cipher is better than Quantum Key Distribution". David's background is in Physcis, but he made a switch to Info Sec and has concentrated on communications security since, and so he was particularly well suited to discuss QKD technology in the real world. David's basic thesis was that there is too much hyperbole about this; with quotes like "QKD will make the internet unhackable", and that is is "absolutely unbreakable", statements which the Info Sec community knows to be false. He presented a set of ten goals that might want from a system to enable secure communication; he then showed that QKD provided very weak (or no) coverage of all bar one of these goals. In fact the only thing for which QKD did well was that it minimized computational assumptions; but even then this is not true since most QKD systems work in a hybrid manner. David compared QKD to building a type out of concrete, it resists punctures but does little else very well. He ended by discussing what would happen if Quantum Computers became a reality; here his thesis was that one could switch to "postquantum" schemes such as those based on lattices. In particular as long as one-way functions still exist we can use digital signatures. In such a situation he claimed that there was still no business reason to adopt QKD.

Tuesday, December 18, 2012

The conference concluded today with three contributed talks (including mine on the security analysis of an open car immobilizer protocol stack) and one invited talk. Andrea Saracino presented a new method to classify the security of Android applications which could make it easier for users to review the threats involved with the installation of individual apps. Liqun Chen talked about the re-evaluation of attacks on Direct Ananymous Attestation (DAA) schemes, which have been specified for usage with TPMs.

The last talk was by Christof Paar on four very interesting pieces of practical security work (two "constructive" and two "destructive") ranging from work on securing vehicular networks (VANETs) to the breaking of bitstream encryption in FPGA devices.

Someone recently pointed out that perhaps I should blog a bit more on our own Crypto Blog for Bristol, so have decided to put finger-to-keyboard to pen this end of year message. Not quite up to the standards of the traditional christmas message from Her Majesty, for example this blog does not come in 3D.

So looking back on 2012 what has been the highlights for me? Perhaps most interesting has been the raising in profile of the whole area of "Cyber Security", not only in the UK academic community but also world wide and in the general media. There is a now a widespread understanding that as a society we are ill equipped to deal with the threats posed in the new online world. Whilst some areas are well developed scientifically (for example cryptography is founded on well established scientific principles and lines), other areas of information security are less well ground in science. Indeed many problems in information security cannot be solved by technical means alone; thus we need collaboration with other disciplines such as sociologists, economics, policy, psychology etc to solve many of the problems we face.

But progress is being made:

In the UK an initiative by EPSRC and GCHQ has set up the "Centres of Excellence in Cyber Security Research", of which Bristol is one of the first eight. This initiative aims to not only recognize the excellent research in various disciplines being carried out across the UK, it also aims to bring the community together so as to achieve more. We are using our granting of a centre to try to bring together the interested parties in the so-called "Cyber Corridor" along the M5 in the UK. Alongside this motorway are a number of large companies, SMEs and govenment departments with an interest in Cyber Security. So we are hosting a regular series of evening events to bring this community together.

A major issue is one of capacity building of the human capital in the area. Many of our problems in this area stem from poor provision in all areas of our education system. Thus another welcome development in 2012 has been the political, educational and industrial push to finally do something about the provision of computing teaching within schools in the UK. Basicly for the non-UK readers this is to move provision from something akin to "Digital Literacy" to a more "Computer Science" based curriculum. This is vital as almost all high powered jobs in the future will be driven by the concept of computational thinking. Eventually the changes in the school curriculum will feed through, and we will have a better trained population to deal with the challenges we will face in the future.

In the area of cryptography the highlight for me has been the rapid advance in the area of Fully Homomorphic Encryption (FHE). The year has seen some major advances, and publications of various techniques. For example we have had various simplifications of the basic ideas from Brakerski in relation to scale invariance, the publication of the Brakerski, Gentry and Vaikuntanathan (BGV) leveled FHE scheme, a deeper understanding of the ring-LWE problem and how to implement schemes based on it by Lyubashevsky, Peikert and Regev. There have also been advances in computational techniques; here Gentry, Halevi and I have shown one can compute homomorphically with only polylogarithmic blowup in terms of computational cost, we have demonstrated that a leveled Somewhat Homomorphic scheme can compute a high degree functionality, and we have shown (with Peikert) how to switch between different ring representations. All of these advances have enabled us to bring the practical goal of FHE closer to reality.

However, perhaps the most interesting outcome of the work on FHE will not be to FHE itself. The interest in FHE has provided two key improvements in other areas of cryptography:

All FHE schemes are based on lattices and as such are resistant to known quantum algorithms. One by product of the current interest in lattice based schemes is that there is now an efficient quantum secure digital signature scheme based on lattices.

In joint work with Aarhus the Bristol team has developed a highly efficient Multi-Party Computation protocol which outperforms (both in terms of security and performance) all existing practical instantiations. The protocol amazingly uses FHE technology to make it go faster; which given the current state-of-the-art in FHE performance is at first sight quite surprising.

So what else has Bristol been working on? Quite a lot it turns out, as a look at our list of publications will show. Ranging from very theoretical work through to very applied work. We have looked at various real world protocols (TLS, EMV, the Helios e-voting protocol), deployed products (J2ME installations, Android smartphones), as well as examined issues related to DoS attacks and Role Based Access Control.

Finally, I return to the theme at the start. When 2012 started it would have appeared that the major media interest would focus around the 100th anniversary of the birth of Alan Turing; and indeed there has been a lot of media attention devoted to this event. However, a quick glance at any major media outlet will reveal that probably the major story has been the coverage of all things Cyber Security related. Be they the recent story on the pigeon cipher through to major attacks like the follow on from the Stuxnet incident. It would seem that not a week goes past without some Cyber Security related story appearing on the BBC website at least. Whilst in some sense this can be construed as bad news,on the other hand "all publicity is good publicity". After all, raising awareness will encourage more students into the area, will the profile of the issues amongst the general population, will produce demand for solutions to the problems we face and will encourage more people to come and innovate.

Monday, December 17, 2012

The fourth installment of InTrust has made it out of Beijing and is currently being held at Royal Holloway, University of London. The first day featured three contributed talks balanced by three keynotes and a panel session.

For me, the highlights of the day were a practical demonstration of Nicolai Kuntze, who showcased their implementation of establishing trusted connections in mobile ad-hoc networks leveraging Trusted Platform Modules (TPMs). The interconnections of three nodes in the lecture theatre (two embedded ones with a hardware TPM and a laptop with a simulated TPM) were displayed and updated in real-time on the projector. Once the software configuration of one of the embedded nodes was changed to a non-trusted setup (by connecting a USB stick to it which in turn led to the execution of non-trusted code), its TPM detected this change via updates to its PCR(s), which in turn locked out use of the communication key and caused the other two participants of network to drop their connection to the node and to reject future attempts by it to reconnect. Amazingly enough, the demo went on smoothly to all our surprise (and at most Nicolai's). I guess the demo effect is already on Christmas break :-)

The second highlight was the panel discussion of Charles Brookson, Nicolai Kuntze, Kenny Paterson and Graeme Proudler (chaired by Shin'ichiro Matsuo) about mobile device trust. The participants shared a rather pessimistic view on the adoption of sound security mechanism in future mobile devices, as security is often not regarded as a primary goal of a device/system, but rather as a cost factor which needs to be minimized (or eliminated). Only in area's where the major stakeholders are actively aware of the security issues, adoption of security is facilitated. One example given was the "bring your device to work" use case, where companies have a vested interest in keeping their infrastructure secure despite having connections to employee's devices not under the company's control on the one side, and employee interests of keeping their personal data on the device protected from access of the company.

Monday, December 10, 2012

Indocrypt 2012 is currently on in Calcutta, India. I am there as an invited speaker, along with Vinod Vaikuntanathan and Orr Dunkelman. I expect my invite has more to do with my good friend Steven Galbraith being programme co-chair than anyone wanting to hear me speak. In any case the hospitality and organization shown by our hosts has been amazing. Unlike the major conferences, conferences like Indocrypt and Africacrypt always have a great deal of speaker/audience interaction outside of the main talks and it is always great to see new faces joining the subject.

The programme is slightly biased towards more symmetric cryptography style areas; an area I am not really expert in. However, one highlight in this area for me was a tutorial on the RC4 cipher and various cryptanalytic results given by Subhamoy Maitra. This complimented two tutorials given the day before the conference started by Steven Galbraith on lattices in cryptography and by Francisco Rodriguez-Henriquez on hardware design for cryptography. Francisco's talk gave a gentle introduction to the different issues one faces when moving from a mindset of software implementation to hardware implementation; as well as an interesting subsection on implementation of a length preserving mode of operation using a tweakable block cipher.

The first morning was however much more "up my street". The first session being particularly interesting, with four very good talks. Focused around the loose theme of protocols, the four talks considered completeness theorems for MPC, aspects of the Fiat-Shamir transform from Sigma protocols to NIZKs, a look at the BB84 QKD protocol and leakage resilient MPC protocols.

The BB84 talk, by Arpita Maitra, was particularly appealing as it showed how a simple observation could be overlooked for a long time. The basic idea was that the original BB84 protocol sends four qubits per agreed key bit (essentially), a problem related to the resulting security gaurantee was found in this a while back and a modified protocol was presented which sends six qubits per key bit. However, what the Indocrypt talk showed was that if one repeated the two protocols and looked at the bit-security per qubit sent (which is an obvious metric used in other areas of cryptography) then the original four qubit BB84 protocol turns out to be better.

Vinod Vaikuntanathan gave a nice invited talk on recent advances in Fully Homomorphic Encryption. Such talks are now becoming very accessible, although perhaps I am not the best person to comment on this. In the past explaining the basic idea behind the original scheme of Gentry was challenging in a one hour slot. But now with the advent of the LWE based schemes, and a better understanding of how the different ideas fit together, such talks are I think more accessible to a general crypto audience. Of course this talk was aided in this respect by Vinod's standard brilliant delivery, which makes even the most complex concept look effortlessly simple.